of threats and risks are developed at this stage. The impact and calculation of residual risk, in addition to the identification of mitigation activities, also occur during the security assessment.

The first step in a security risk assessment is to identify prioritized assets. Cybersecurity resources should be devoted to the assets that would cause the most damage to an organization if they were to be compromised.

The second step is to identify potential threats to the assets. A threat is simply an undesirable event aimed at an asset or group of assets that could result in loss, improper disclosure, or damage.

While a denial of service, malicious code, and disclosure/exfiltration of data are examples of cybersecurity threats, fraud, errors, and sabotage are additional threats to a company’s IT assets that are physically based.

A threat to an organization is only successful if a vulnerability is exploited, either because of a flaw in an existing control or because no control was implemented. With this in mind, it should be noted that threats do not cease to exist when faced with strong cybersecurity protocols. While threats associated with our technological world do not necessarily diminish, an organization’s ability to cope with them and reduce risk increases with levels of security strength.

Vulnerabilities, like controls, can be administrative, physical, or technical in nature. Administrative vulnerabilities relate to design flaws in policies or procedures.

Risk is the loss to assets that results if a threat is successful. This is the core concept of any security program, the crux upon which all security activities and goals rest. Controls, also known as safeguards, are the activities and techniques employed by organizations to reduce risk. (A discussion of the relationship between risk and controls will be further covered in the third article of this series.)
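The following is an added worked example, not code from the article or its author: a small risk register that walks through the steps above (prioritized assets, threats exploiting a vulnerability, administrative/physical/technical controls, and the residual risk that remains once controls are counted). The 1–5 likelihood and impact scales, the multiplicative scoring, the criticality weighting, and all asset and threat names are assumptions constructed for the example; an organization substitutes its own scheme and data.

```python
"""Toy security risk register (added example, not from the article).

Assumptions: likelihood and impact are scored 1-5, risk = likelihood x impact,
each control subtracts points from likelihood and/or impact, and an asset's
overall score is its worst residual threat weighted by its criticality.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """A safeguard; kind is administrative, physical, or technical."""
    name: str
    kind: str
    likelihood_reduction: int = 0  # points removed from the 1-5 likelihood score
    impact_reduction: int = 0      # points removed from the 1-5 impact score


@dataclass
class Threat:
    """An undesirable event aimed at an asset through a specific vulnerability."""
    description: str
    vulnerability: str            # the flaw in a control, or the missing control
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)


@dataclass
class Asset:
    name: str
    criticality: int              # 1..5: damage to the organization if compromised
    threats: List[Threat] = field(default_factory=list)


def clamp(score: int) -> int:
    """Keep a derived score on the 1-5 scale."""
    return max(1, min(5, score))


def inherent_risk(threat: Threat) -> int:
    """Risk before any control is taken into account."""
    return threat.likelihood * threat.impact


def residual_risk(threat: Threat) -> int:
    """Risk remaining after the listed controls reduce likelihood and impact."""
    likelihood = clamp(threat.likelihood - sum(c.likelihood_reduction for c in threat.controls))
    impact = clamp(threat.impact - sum(c.impact_reduction for c in threat.controls))
    return likelihood * impact


def asset_risk(asset: Asset) -> int:
    """Worst residual threat to the asset, weighted by how much the asset matters."""
    if not asset.threats:
        return 0
    return asset.criticality * max(residual_risk(t) for t in asset.threats)


def prioritize(assets: List[Asset]) -> List[str]:
    """Asset names, highest residual risk first: where resources should go."""
    return [a.name for a in sorted(assets, key=asset_risk, reverse=True)]


def uncontrolled(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Threats for which no control was implemented at all."""
    return [(a.name, t.description) for a in assets for t in a.threats if not t.controls]


def build_sample_register() -> List[Asset]:
    """Constructed sample data for a fictional organization (not real findings)."""
    patching = Control("Monthly patch management", "technical", likelihood_reduction=2)
    access_review = Control("Quarterly access review", "administrative", likelihood_reduction=1)
    rate_limit = Control("Upstream rate limiting", "technical", likelihood_reduction=2)
    return [
        Asset("Customer database", 5, [
            Threat("Data exfiltration", "unpatched web application", 4, 5, [patching]),
            Threat("Insider sabotage", "stale privileged accounts", 2, 4, [access_review]),
        ]),
        Asset("Backup tapes", 3, [
            Threat("Theft of backup media", "storage room left unlocked", 3, 3),
        ]),
        Asset("Public website", 2, [
            Threat("Denial of service", "no traffic filtering", 4, 2, [rate_limit]),
        ]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for asset in register:
        for t in asset.threats:
            print(f"{asset.name}: {t.description}: inherent={inherent_risk(t)} residual={residual_risk(t)}")
    print("Priority order:", prioritize(register))
    print("No control in place:", uncontrolled(register))
```

The `uncontrolled` list flags the second case the article names (no control implemented), while a high residual score on a controlled threat points at the first case (a control that exists but is too weak). Running the sample ranks the customer database first even though its threats are the best controlled, because criticality dominates the score.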

To complete a security assessment, an assessor will conduct interviews with relevant stakeholders. As threats, risks, and their impacts become more complex, it is important that an assessor collects information beyond the IT department.

Everyone has a role to play in effective cybersecurity practices. Documentation regarding an organization’s administrative, physical, and technical controls is imperative to develop an understanding of potential risks and threats and their impact on an organization. Remember, identifying possible consequences is
